Description
Hi!
The rule says this:
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe" \
But it actually matches this:
\\xbc[^\\\\xbe>][\\xbe>]|<[^\\\\xbe]\\xbe
Why? This makes it match our string "Gültigkeit", which encoded looks like this: "G\xbcltigkeit"
Audit Logs / Triggered Rule Numbers
941310
--3234e523-H-- Message: Warning. Pattern match "\\xbc[^\\xbe>]*[\\xbe>]|<[^\\xbe]*\\xbe" at ARGS:offerData. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "546"] [id "941310"] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected"] [data "Matched Data: \xbcltigkeit in tagen\x22},{\x22einstellungs_id\x22:30,\x22gruppierung\x22:\x22angebotkv\x22,\x22art\x22:\x22mandant\x22,\x22key\x22:\x22kauf_gueltigkeitsdauer\x22,\x22value\x22:\x2228\x22,\x22type\x22:\x22text\x22,\x22options\x22:null,\x22default\x22:\x2214\x22,\x22hilfetext\x22:null,\x22wartbar\x22:\x221\x22,\x22marke_id\x22:0,\x22datum_anlage\x22:\x2223.10.2014 15:06\x22,\x22datum_bearbeitung\x22:\x2223.10.2014 15:06\x22,\x22benutzer_anlage\x22:6,\x22benutzer_bearbeitung\x22:6,\x22bezeic..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-tomcat"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] Message: Warning. Pattern match "(?i:(?:[\"'
](?:;?\s*?(?:having|select|union)\b\s*?[^\\s]|\s*?!\s*?"'\\w])|(?:c(?:onnection_id|urrent_user)|database)\\s*?\\([^\\)]*?|u(?:nion(?:[\\w(\\s]*?select| select @)|ser\\s*?\\([^\\)]*?)|s(?:chema\\s*?\\([^\\)]*?|elect.*?\\w?user\\()|in ..." at ARGS:offerData. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "183"] [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: \x22select\x22 found within ARGS:offerData: {\x22id\x22:3377,\x22mandant_id\x22:67,\x22offer_type_id\x22:1,\x22offer_calculationtype_id\x22:1,\x22offer_businesscase_id\x22:1,\x22offer_status_id\x22:1,\x22kontakt_id\x22:219805,\x22kundengruppe\x22:\x22B2C\x22,\x22offer_name\x22:\x22\x22,\x22gewaehrleistung\x22:\x22\x22,\x22garantie\x22:\x22\x22,\x22bemerkung_intern\x22:\x22\x22,\x22bemerkung_extern\x22:\x22\x22,\x22offer_reference_number\x22:202101233,\x22offer_reference_external\x22:\x22\x2..." Message: Rule 7f3211923618 [id "942240"][file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line "254"] - Execution error - PCRE limits exceeded (-8): (null). Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=5,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 10, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"]
Your Environment
- CRS version (e.g., v3.2.0): 3.3.2
- Paranoia level setting: 1
- ModSecurity version (e.g., 2.9.3): 2.9.2-1
- Web Server and version (e.g., apache 2.4.41): Apache/2.4.29 (
- Operating System and version: Ubuntu 18.04.5
Confirmation
[x] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.